Adobe Addressing Massive Data Breach, Source Code Leak

Pages

Adobe Systems has acknowledged a massive data breach of its systems, resulting in the exposure of personal data on millions of its customers as well as the precious source code that serves as the foundation to its Adobe Acrobat, ColdFusion and other products.

Adobe Thursday said attackers stole the personal data of 2.9 million people. The information included customer names, encrypted credit and debit card numbers, expiration dates and other information related to customer orders.

"Very recently, Adobe's security team discovered sophisticated attacks on our network," the company said in a statement. "We value the trust of our customers. We will work aggressively to prevent these types of events from occurring in the future."

The company said it is resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. Affected customers will receive an email notification with information on how to change the Adobe password. Adobe said it also is notifying customers whose credit or debit card information was exposed in the breach. Banks and credit card processors have been notified of the incident, Adobe said.

Meanwhile, Adobe is investigating the illegal access to the sensitive servers that contained the source code for its Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products. Few details were released, but the company said that based on its findings it is not aware of any increased risk to customers as a result of the source code leak. Security experts told CRN that source code leaks can be used by hackers to discover vulnerabilities that can be exploited in widely used Adobe products.

"We are not aware of any zero-day exploits targeting any Adobe products," Adobe said. "However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide."

The guide and documentation provide security best practices for installing and using the platforms as well as implementing system updates and information for developers to build secure ColdFusion applications. Adobe credited noted security blogger Brian Krebs and Alex Holden, chief information security officer of Hold Security, for their role in helping investigate the incident.

Adobe told Krebs that investigators believe that hackers accessed a source code repository sometime in mid-August 2013. Adobe said it was looking for anomalous check-in activity on its code repositories and for other things that might seem out of place before it could understand the scope of the source code exposure.

Access to the source code is potentially the most damaging part of the Adobe breach, security experts told CRN. Cybercriminals can sell the source code to more sophisticated vulnerability researchers and malware writers to create zero-day exploits that can be used against the software, said George Tubin, a senior security strategist at Trusteer, an IBM company.

"Access to Adobe source code is a huge deal," Tubin said. "Attackers get in by exploiting vulnerabilities in popular applications and Adobe applications are so widely used; it's on almost everybody's desktop."